Stryker attack highlights nebulous nature of Iranian cyber activity amid joint U.S.-Israel conflict
A cyberattack that an Iranian hacking group said it carried out against medical device manufacturer Stryker might mark Tehran’s first significant cyber action since the start of the joint U.S.-Israel conflict.
But even that may have been a happy accident for Iranian hackers in what has been a low buzz of activity during that timeframe, with the attackers striking paydirt by happenstance rather than on purpose.
Cybersecurity firms, threat intelligence trackers and critical infrastructure owners have been fighting to separate the noise about proclaimed attacks out of Iran, and the warnings and threats related to the conflict, from what is actually happening and poses any significant danger.
“Everybody is scrambling right now,” said Alex Orleans, a long-time Iran threat analyst and head of threat intelligence at Sublime Security. Others said the nascent nature of the conflict is making assessments difficult.
“What we see is quite difficult to quantify or characterize about whether there’s been an increase or decrease,” said Saher Naumaan, senior threat researcher at Proofpoint. “I think since we’re only a couple weeks into the conflict, and the regular cadence of Iranian actors isn’t very consistent, necessarily, we don’t have enough data points or enough time to really judge.”
Signs of activity
In the early days of the conflict, there were indications that physical attacks on Iran might have hampered Iranian retaliatory efforts or other cyber activity, as those who would carry out cyberattacks were probably “hiding in bunkers,” Orleans said, and as Iran suffered internet outages.
In recent days, however, the Stryker attack and other indicators suggest that Iranian cyber activity could be heating up.
“For several days following the outbreak of the conflict, there was a noted decrease in cyber threat activity emanating from Iran,” a group of industry information and sharing analysis centers warned Wednesday. “However, there are signs of life in Iranian offensive cyber operations.”
The Stryker attack stands out for both the size and location of the target, a Michigan-based medical device manufacturer with more than $25 billion in revenue in 2025.
But both Orleans and Sergey Shykevich, threat intelligence group manager at Check Point Research, said the attack has the hallmarks of an opportunistic one rather than a deliberate, focused one. The group claiming credit for the attack, Handala — a Ministry of Intelligence-linked outfit — is known more for seizing advantage of weaknesses they happen upon rather than doggedly pursuing particular targets.
Notably, Stryker is also the class of a military vehicle used by U.S. forces. That military connection, even if confused with the medical device manufacturer, could possibly explain why the company was a target.
Still, “it was a much higher-profile attack than we expected from Handala,” Shykevich said. “Unfortunately, it’s possible to define it as a relatively big success for them.”
There have been reports of other cyber activity that might be connected to the conflict. Albania said the email system of its parliament had been targeted, with Iranian hackers taking credit. There was the targeting of cameras from Iran-linked infrastructure in countries that Iran then launched missiles into. Poland said it was looking into whether Iran was behind an attempted cyberattack on a nuclear research facility.
Some of the claims don’t match reality. “There are many hacktivist groups that are very active in Telegram, but actually they don’t have any significant successes,” Shykevich said.
There are other cyber-related developments in the conflict, too, like espionage, the proliferation of artificial intelligence-fueled misinformation and the possibility of Russia or China helping out in cyberspace on Iran’s behalf, even if some experts doubt the likelihood of the latter.
How effective any of it has been is still unclear. Stryker, for instance, said the attack mainly affected its internal networks, although there were signs it might be affecting communications at hospitals, too.
But the damage might be beside the point. Orleans said the attacks could be psychological in nature, aimed at producing fear abroad and affirming hackers’ standing with domestic leaders in Iran during the conflict.
Even low-level defacement or distributed denial-of-service attacks can play a role.
“Coming into work and finding an Iranian flag on your workstation would be a little bit disconcerting, because they’re letting you know that, ‘I can reach out and touch you,’” said Sarah Cleveland, senior director of federal strategy at ExtraHop and a former cyber officer in the U.S. Air Force.
Possible follow-up impacts
While primarily known as a medical supply company, Stryker has received sizable contracts with the military for hospital equipment and surgical supplies, for example. It is unclear whether the hackers intended to use Stryker’s military connection to exploit government systems.
The Pentagon has long warned of increased, complex cyberattacks against the defense industrial base, a vast network of companies — with disparate levels of cybersecurity — that the military relies on for advanced weaponry to basic stretchers. The DIB is often seen by adversaries as a backdoor into military systems.
While he did not directly address the Stryker hack, the Army’s principal cyber adviser, Brandon Pugh, outlined some of the challenges to the DIB and the service’s part in trying to protect it during a webinar Thursday in response to a question on the topic.
He said adversaries “right or wrong” see companies “as an extension of the military” and that they believe an attack on private industry would have a secondary impact on the armed forces.
“Some are very large, sophisticated multinational companies,” he said, noting that security needs across the DIB aren’t universal. “Others are very small companies that are lucky to have a director of IT, let alone a sophisticated cyber team, and I think that’s where it’s really important to lean into.”
Pugh said that agencies across the federal government have been working with the DIB to boost its resilience to attacks, and that the Army’s cyber effort emphasizes entrenching cybersecurity from the beginning of the acquisition process.
“Cyber can’t be an afterthought — not saying it is,” Pugh added. “I’d say the Army does a great job here, but making sure it’s never forgotten and is always considered along that way.”
Matt Tait, the CEO and president of MANTECH, said in response to a question about the Stryker attack and DIB protections that defending against such incidents includes leveraging government agreements and access, such as with the NSA, and quickly sharing information following an attack.
“To me, it’s about real time information sharing,” he said. “You need real time information sharing when you’re getting attacked to be able to actually share that information with the rest of industry, as well as with government, because they can actually share that information across” federal cybersecurity entities.
“If you want to do mission focused technology work, this is the world you have to live in, and that you should be sharing this information on a real time basis,” he added. “24 hours later, 48 hours later, I call that ambulance chasing. That’s too far after the fact from a cyber perspective.”
